MICROSOFT CONFIDENTIAL

MSTIC Activity Alert – BROMINE 0322-01
Active Targeting of Data Center Management Tools

NOTE: Microsoft notifies customers that are targeted or compromised by this or any other actor related to observed activity. This update is for advisory purposes only.

Microsoft Threat Intelligence Center (MSTIC) has observed targeted reconnaissance and potential intrusion activity focused on power management (PDUs) as well as data center infrastructure management (DCIM) appliances and applications by an activity group tracked by Microsoft as BROMINE. MSTIC has observed recent activity that indicates that BROMINE targets datacenters to gain access to pursue their intended targets – the datacenter customers. BROMINE has historically used brute force attacks, attacks leveraging default credentials, and exploitation of known unpatched vulnerabilities to gain initial access to network devices, including infrastructure management tools.

MSTIC assesses that BROMINE is a state-sponsored activity group originating from Russia that operates to advance the strategic objectives of the Russian Federation. Given the current high level of tension between Russia and NATO partners and the US Government’s warnings of retaliatory cyberattacks related to geopolitical events in Ukraine, Microsoft is distributing this activity alert to share indicators to enable customers to evaluate their risk and improve defenses against additional attacks.

Background

BROMINE is an activity group that has historically targeted a variety of global industries including organizations associated with critical infrastructure, energy, aviation, oil and gas, engineering, manufacturing, defense, transportation, law enforcement and United States state/local government. BROMINE is the Microsoft code name for this activity group. Other security researchers have used Havex, DragonFly, DragonFly 2.0, and Energetic Bear to refer to similar or related activities.
Activity Description

Targeting of IT & Data Center Management Appliances and Software

MSTIC has observed reconnaissance and limited probing of publicly exposed IT & Data Center management tools and appliances, including Software-as-a-Service (SaaS) managed capabilities. The following software or services have been observed as targets in BROMINE operations:

• Device42
• Nlyte Software
• Sunbird dcTrack
• Panduit Smartzone
• Cormant-CS DCIM
• Vertiv Trellis
• Geist Environet
• Claroty Platform
• Eaton BrightLayers Datacenter Suite
• FNT Command Platform
• Various Raritan power and KVM solutions
• Various hardware appliances from manufacturers of power and cooling

Based upon historical methods of BROMINE, it is likely that the actor is using default passwords, credential guessing and potentially public CVEs to compromise accounts and devices.

Analyst Note: The above list is limited to observations by Microsoft and should not be considered exhaustive, as BROMINE is an adaptable threat actor that adjusts to operational needs to accomplish their objective.

Recommended Defensive Measures

Given the significant threat posed by BROMINE and the non-traditional manner of their intrusions, MSTIC recommends that customers and partners implement the following specific guidance. For these recommendations to be effective, ensure that a proper inventory of devices and software for IT and data center management has been performed to maximize coverage across the environment.

Vulnerability Scanning

• Check with the vendor of devices/software for any known vulnerabilities and patch as necessary.
• Validate that common default/weak credentials are not allowed by performing scans against devices/software to test for known default/weak credentials.
• Perform perimeter scans for publicly exposed interfaces, applications and systems and reduce attack surface where possible.
Enable Auditing

• Enable audit logs at the highest level and granularity possible. At a minimum, audit conditions should provide the ability to detect account usage, access, and alterations.
• Increase local audit log retention storage and forward audit logs to a centralized platform to enhance continuous monitoring efforts.
• If possible, designate a standard time format (UTC) for logs. This will greatly increase the ability to correlate logs in the case where an investigation may be needed.

Implement Strong Passwords and Multi-Factor Authentication

• Ensure the removal of any default/weak credentials.
• Implement multi-factor authentication methods as an added layer of security for accessing devices.

Audit and Implement Controls for Anomalous Authentication

• Audit accounts and proactively rotate existing credentials on highest-risk devices.
• Review logs for access attempts by known attacker-controlled IPs.
• Review audit logs for access attempts and perform additional analysis if suspicious access is identified.

Attack Surface Reduction

• Remove any unnecessary access from external connections. If there is a strong business justification for a device/system to be publicly facing, implement the necessary technical controls to prevent unauthorized access to that device/system (multi-factor authentication, complex passwords, conditional access policies, etc.). If a device/system is only accessible internally, technical controls should still be placed to limit access.
• Reduce unnecessarily exposed ports, protocols, and services on devices.

Indicators of Compromise

MSTIC is providing the following Indicators of Compromise (IOCs) observed related to recent activity. This list should not be considered an exhaustive list for audit and review purposes but is provided to assist with known threat activity.
Since BROMINE leverages compromised infrastructure as a proxy, discoveries of these IP addresses authenticating to your organization should be reviewed for malicious activity and context to confirm an incident. Additional infrastructure may be used by the actor for post-exploitation and would likely be dedicated infrastructure in common hosting providers.

INDICATOR        TYPE        DESCRIPTION
37.187.9.26      IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
77.223.107.13    IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
37.48.120.137    IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
135.181.29.229   IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
159.253.23.250   IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
5.196.90.105     IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
88.214.241.146   IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
94.130.168.63    IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
45.55.24.95      IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
176.9.84.83      IPAddress   BROMINE Proxy – Actor Controlled Infrastructure
5.135.182.109    IPAddress   BROMINE Proxy – Actor Controlled Infrastructure

NOTE: The data in this document is provided to you subject to the following conditions: Your organization may use the data solely for informational, remediation, and defensive purposes. The data may be inaccurate and/or may refer to legitimate but compromised properties.

THIS DOCUMENT IS PROVIDED “AS-IS” AND FOR INFORMATIONAL PURPOSES ONLY. MICROSOFT DISCLAIMS ALL EXPRESS, IMPLIED, OR STATUTORY WARRANTIES. THIS INCLUDES THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
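The following is an added example, not code from Microsoft or this alert, showing how the two recommendations "Review logs for access attempts by known attacker-controlled IPs" and "designate a standard time format (UTC) for logs" can be applied together to appliance audit logs. It takes the IP indicators from the table above, normalizes each line's timestamp to UTC so events from appliances in different time zones sort correctly, and reports every authentication attempt from an indicator IP, separating failed attempts from successful ones so the reviewer can judge context. The log format, the host names (pdu-rack12, dcim01) and the log lines themselves are constructed for the example; real DCIM and PDU appliances log in vendor-specific formats, so the two regexes are the part to adapt.

```python
import re
from datetime import datetime, timezone

# IP indicators copied from the Indicators of Compromise table in this alert.
BROMINE_PROXY_IPS = frozenset({
    "37.187.9.26", "77.223.107.13", "37.48.120.137", "135.181.29.229",
    "159.253.23.250", "5.196.90.105", "88.214.241.146", "94.130.168.63",
    "45.55.24.95", "176.9.84.83", "5.135.182.109",
})

# Constructed sample log lines (hypothetical hosts and events, not real telemetry).
# The lines deliberately carry mixed UTC offsets, as logs from several appliances would.
SAMPLE_LOGS = [
    "2022-03-14T02:11:07+01:00 pdu-rack12 webui: login failed user=admin src=37.187.9.26",
    "2022-03-14T02:11:09+01:00 pdu-rack12 webui: login failed user=admin src=37.187.9.26",
    "2022-03-14T02:11:12+01:00 pdu-rack12 webui: login success user=admin src=37.187.9.26",
    "2022-03-13T20:05:41-05:00 dcim01 sshd[4412]: Accepted password for svc_backup from 10.20.30.40 port 50122 ssh2",
    "2022-03-14T01:30:00Z dcim01 sshd[4420]: Failed password for root from 94.130.168.63 port 41000 ssh2",
    "not a log line at all",
]

# Assumed line layout: "<iso8601 timestamp> <host> <message>"; adapt for real appliances.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Words that mark a successful authentication in the assumed message formats.
SUCCESS_WORDS = ("success", "accepted")


def to_utc(ts: str) -> datetime:
    """Normalize an ISO-8601 timestamp (offset or trailing Z) to an aware UTC datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {ts}")
    return dt.astimezone(timezone.utc)


def parse_line(line: str):
    """Return a parsed event dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = to_utc(m.group("ts"))
    except ValueError:
        return None
    msg = m.group("msg")
    return {
        "utc": ts,
        "host": m.group("host"),
        "ips": set(IPV4_RE.findall(msg)),
        "success": any(w in msg.lower() for w in SUCCESS_WORDS),
        "raw": line,
    }


def find_ioc_hits(lines, iocs=BROMINE_PROXY_IPS):
    """Return events whose message contains an indicator IP, ordered by UTC time."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for ip in sorted(ev["ips"] & iocs):
            hits.append({**ev, "ioc": ip})
    return sorted(hits, key=lambda h: h["utc"])


def summarize(hits):
    """Per indicator IP: attempt count, successful logins, hosts touched, first/last seen."""
    out = {}
    for h in hits:
        s = out.setdefault(h["ioc"], {
            "attempts": 0, "successes": 0, "hosts": set(),
            "first_seen": h["utc"], "last_seen": h["utc"],
        })
        s["attempts"] += 1
        s["successes"] += int(h["success"])
        s["hosts"].add(h["host"])
        s["first_seen"] = min(s["first_seen"], h["utc"])
        s["last_seen"] = max(s["last_seen"], h["utc"])
    return out


if __name__ == "__main__":
    for ioc, s in summarize(find_ioc_hits(SAMPLE_LOGS)).items():
        flag = "REVIEW: successful login" if s["successes"] else "failed attempts only"
        print(f"{ioc}: {s['attempts']} attempts, {s['successes']} successes on "
              f"{sorted(s['hosts'])} between {s['first_seen'].isoformat()} and "
              f"{s['last_seen'].isoformat()} ({flag})")
```

A successful login from an indicator IP following failed attempts, as the sample for pdu-rack12 shows, is the case the alert asks to be reviewed for context before confirming an incident; failed attempts alone still warrant checking that the exposed interface and its credentials follow the measures above.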